oss-fuzz: heap-buffer-overflow on address 0x62b000006200
reproduce with ./build-asan/tests/dav1d_fuzzer clusterfuzz-testcase-minimized-dav1d_fuzzer-5710678279585792
Error parsing OBU data
=================================================================
==16444==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006200 at pc 0x7f3c21239893 bp 0x7ffd403b1eb0 sp 0x7ffd403b1658
READ of size 48 at 0x62b000006200 thread T0
#0 0x7f3c21239892 (/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/libasan.so.4+0x79892)
#1 0x7f3c20efaa9d in memcpy /usr/include/bits/string_fortified.h:34
#2 0x7f3c20efaa9d in emu_edge ../src/recon.c:475
#3 0x7f3c20efafb2 in mc ../src/recon.c:535
#4 0x7f3c20f0915d in dav1d_recon_b_inter_8bpc ../src/recon.c:1200
#5 0x7f3c20e778d2 in decode_b ../src/decode.c:1743
#6 0x7f3c20e8e4db in decode_sb ../src/decode.c:1872
#7 0x7f3c20e8f944 in dav1d_decode_tile_sbrow ../src/decode.c:2319
#8 0x7f3c20e9453e in dav1d_decode_frame ../src/decode.c:2664
#9 0x7f3c20e98157 in dav1d_submit_frame ../src/decode.c:3036
#10 0x7f3c20e638cd in dav1d_parse_obus ../src/obu.c:1088
#11 0x7f3c20f432e7 in dav1d_decode ../src/lib.c:201
#12 0x5620d9185f6d in LLVMFuzzerTestOneInput ../tests/libfuzzer/dav1d_fuzzer.c:82
#13 0x5620d918573f in main ../tests/libfuzzer/main.c:87
#14 0x7f3c2086fae6 in __libc_start_main (/lib64/libc.so.6+0x21ae6)
#15 0x5620d9185969 in _start (/home/janne/src/dav1d/build-asan/tests/dav1d_fuzzer+0x1969)
0x62b000006200 is located 0 bytes to the right of 24576-byte region [0x62b000000200,0x62b000006200)
allocated by thread T0 here:
#0 0x7f3c2129f980 in posix_memalign (/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/libasan.so.4+0xdf980)
#1 0x7f3c20e5d780 in dav1d_alloc_aligned ../include/common/mem.h:46
#2 0x7f3c20e5d780 in default_picture_allocator ../src/picture.c:58
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/libasan.so.4+0x79892)
Shadow bytes around the buggy address:
0x0c567fff8bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fff8c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fff8c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fff8c40:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16444==ABORTING